diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
index f3c90cac1f0..7aea46e7747 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis"]
 maturity = "production"
-updated_date = "2025/11/19"
+updated_date = "2025/11/24"

 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
-from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
+from logs-nginx.error-*, logs-apache_tomcat.error-*, logs-apache.error-*, logs-iis.error-*
 | keep
 @timestamp,
 event.type,
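Review bot: The new `from` line in the second hunk targets `logs-apache_tomcat.error-*`, and it is worth confirming that the Apache Tomcat integration actually writes an `error` data stream; if it does not, the pattern matches nothing and Tomcat silently drops out of this rule's coverage while `apache_tomcat` is still listed in `integration`. The `keep` list that starts in this hunk (`@timestamp`, `event.type`, …) was written against the access and network_traffic datasets, and ES|QL rejects a query that references a column mapped in none of the source indices, so each field kept or filtered further down should be checked against the error-log mappings. The query body continues outside the hunk, so that cannot be verified from here. A one-line comment above the source list, such as `// error-log data streams only; access and network_traffic sources intentionally removed`, would record the reason for the narrower scope.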